Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A behavior inference model building apparatus, comprising: a storage, being configured to store a plurality of program operations sequence data, each of the program operation sequence data recording a plurality of program operation sequences; and a processor electrically connected to the storage, being configured to execute the following steps of: (a) converting the program operation sequences of each of the program operation sequence data into a plurality of word vectors through a word embedding model; (b) retrieving, for each of the program operation sequence data, first M word vectors of the word vectors as M input vectors of a Generative Adversarial Network (GAN) model f, M being a positive integer; (c) generating, for each of the program operation sequence data, a plurality of inference word vectors by computing the M input vectors through a generator of the GAN model; (d) performing, for each of the program operation sequence data, a real/fake discrimination between the word vectors and the inference word vectors through a discriminator of the GAN model; (e) backpropagating a discrimination result of the real/fake discrimination to the generator to adjust a parameter setting of the generator; (f) repeating the step (c) to the step (e) to train the GAN model to optimize the GAN model; and (g) integrating the word embedding model and the generator of the optimized GAN model to build a behavior inference model.
A behavior inference model building apparatus comprises storage for program operation sequence data and a processor. The processor converts program operation sequences from this data into word vectors using a word embedding model. It then retrieves the first M word vectors as inputs for a Generative Adversarial Network (GAN) model. The GAN's generator creates inference word vectors, which are then discriminated against the original word vectors by the GAN's discriminator. The discrimination result is backpropagated to adjust the generator's parameters. This training process for the GAN is repeated until optimized. Finally, the apparatus integrates the word embedding model and the optimized GAN generator to construct the behavior inference model.
2. The behavior inference model building apparatus of claim 1 , wherein the program operation sequences are a dynamic program operation sequence.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. In this apparatus, the program operation sequences processed are specifically *dynamic program operation sequences*, meaning they capture the runtime behavior of a program.
3. The behavior inference model building apparatus of claim 2 , wherein the dynamic program operation sequence is an Application Programming Interface (API) sequence.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, which are specifically defined as *Application Programming Interface (API) sequences*, capturing calls made to system or library functions during execution.
4. The behavior inference model building apparatus of claim 2 , wherein the dynamic program operation sequence is a system call sequence.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, which are specifically defined as *system call sequences*, recording direct interactions with the operating system kernel.
5. The behavior inference model building apparatus of claim 2 , wherein the dynamic program operation sequence is retrieved by a tracking program.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, and these sequences are specifically *retrieved by a tracking program*, which monitors and records program activities.
6. The behavior inference model building apparatus of claim 1 , wherein the word embedding model is one of a Word-to-Vector (Word2Vec) model and a One-Hot Encoding model.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. For converting program operation sequences into word vectors, the *word embedding model* used is one of a *Word-to-Vector (Word2Vec) model* or a *One-Hot Encoding model*.
7. The behavior inference model building apparatus of claim 1 , wherein the program operation sequence data include a plurality of abnormal program operation sequence data, and each of the abnormal program operation sequence data is associated with a malicious program.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. In this apparatus, the *program operation sequence data* used for training *includes abnormal program operation sequence data*, where each piece of abnormal data is specifically *associated with a malicious program*.
8. The behavior inference model building apparatus of claim 1 , wherein the processor further integrates an abnormal behavior detection model, the word embedding model and the generator of the optimized GAN model to build the behavior inference model.
A behavior inference model building apparatus that builds a model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. This apparatus further *integrates an abnormal behavior detection model* alongside the word embedding model and the optimized GAN generator to construct the final behavior inference model.
9. The behavior inference model building apparatus of claim 8 , wherein the storage further stores a plurality of behavior labels, each of the program operation sequence data corresponding to one of the behavior labels, and the processor further executes the following steps of: clustering the word vectors of the program operation sequence data into a plurality of word vector groups based on a clustering algorithm; comparing the program operation sequences of each of the program operation sequence data severally with at least one of the program operation sequences corresponding to at least one of the word vectors included in each of the word vector groups to generate a feature vector of each of the program operation sequence data; performing a supervised learning of a classification algorithm to generate a classifier for classifying the feature vectors to correspond to the behavior labels based on the feature vectors and the behavior labels; and building the abnormal behavior detection model based on the word vector groups and the classifier.
A behavior inference model building apparatus that processes program operation sequences with word embeddings and a GAN to build a behavior inference model, and additionally integrates an *abnormal behavior detection model* into the final behavior inference model. To build this abnormal behavior detection model, the apparatus further stores behavior labels and performs the following: it *clusters the word vectors* of the program operation sequence data into groups using a clustering algorithm. It then *compares the program operation sequences* with those in the clusters to generate feature vectors for each data. A *supervised learning classification algorithm* is applied to these feature vectors and behavior labels to create a classifier. The abnormal behavior detection model is then built based on these word vector groups and the generated classifier.
10. The behavior inference model building apparatus of claim 9 , wherein the clustering algorithm is one of an Affinity Propagation (AP) clustering algorithm, a Spectral clustering algorithm, a Fuzzy C-means (FCM) clustering algorithm, an Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) clustering algorithm, a K-means clustering algorithm, a Complete-Linkage (CL) clustering algorithm, a Single-Linkage (SL) clustering algorithm and a Ward's method clustering algorithm, and the classification algorithm is one of a Support Vector Machine (SVM) algorithm, a Decision Tree (DT) algorithm, a Bayes algorithm and a Nearest Neighbors (NN) algorithm.
A behavior inference model building apparatus that processes program operation sequences with word embeddings and a GAN to build a behavior inference model, further integrating an abnormal behavior detection model. This abnormal behavior detection model is built by clustering word vectors and then using a classification algorithm with behavior labels. Specifically, the *clustering algorithm* can be an Affinity Propagation (AP), Spectral, Fuzzy C-means (FCM), ISODATA, K-means, Complete-Linkage (CL), Single-Linkage (SL), or Ward's method algorithm. The *classification algorithm* can be a Support Vector Machine (SVM), Decision Tree (DT), Bayes, or Nearest Neighbors (NN) algorithm.
11. A behavior inference model building method for a behavior inference model building apparatus, the behavior inference model building apparatus comprising a storage and a processor, the storage storing a plurality of program operations sequence data, each of the program operation sequence data recording a plurality of program operation sequences, the behavior inference model building method being executed by the processor and comprising: (a) converting the program operation sequences of each of the program operation sequence data into a plurality of word vectors through a word embedding model; (b) retrieving, for each of the program operation sequence data, first M word vectors of the word vectors as M input vectors of a Generative Adversarial Network (GAN) model, wherein M being a positive integer; (c) generating, for each of the program operation sequence data, a plurality of inference word vectors by computing the M input vectors through a generator of the GAN model; (d) performing, for each of the program operation sequence data, a real/fake discrimination between the word vectors and the inference word vectors through a discriminator of the GAN model; (e) backpropagating a discrimination result of the real/fake discrimination to the generator to adjust a parameter setting of the generator; (f) repeating the step (c) to the step (e) to train the GAN model to optimize the GAN model; and (g) integrating the word embedding model and the generator of the optimized GAN model to build a behavior inference model.
A method for building a behavior inference model within an apparatus having storage and a processor. The method involves the processor converting program operation sequences from stored data into word vectors using a word embedding model. It then retrieves the first M word vectors as inputs for a Generative Adversarial Network (GAN) model. The GAN's generator creates inference word vectors, which are then discriminated against the original word vectors by the GAN's discriminator. The discrimination result is backpropagated to adjust the generator's parameters. This training process for the GAN is repeated until optimized. Finally, the method integrates the word embedding model and the optimized GAN generator to construct the behavior inference model.
12. The behavior inference model building method of claim 11 , wherein the program operation sequences are a dynamic program operation sequence.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. In this method, the program operation sequences processed are specifically *dynamic program operation sequences*, meaning they capture the runtime behavior of a program.
13. The behavior inference model building method of claim 12 , wherein the dynamic program operation sequence is an Application Programing Interface (API) sequence.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, which are specifically defined as *Application Programming Interface (API) sequences*, capturing calls made to system or library functions during execution.
14. The behavior inference model building method of CIaEm 12 , wherein the dynamic program operation sequence is a system call sequence.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, which are specifically defined as *system call sequences*, recording direct interactions with the operating system kernel.
15. The behavior inference model building method of claim 12 , wherein the dynamic program operation sequence is retrieved by a tracking program.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. The program operation sequences are *dynamic program operation sequences*, and these sequences are specifically *retrieved by a tracking program*, which monitors and records program activities.
16. The behavior inference model building method of claim 11 , wherein the word embedding model is one of a Word-to-Vector (Word2Vec) model and a One-Hot Encoding model.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. For converting program operation sequences into word vectors, the *word embedding model* used is one of a *Word-to-Vector (Word2Vec) model* or a *One-Hot Encoding model*.
17. The behavior inference model building method of claim 11 , wherein the program operation sequence data include a plurality of abnormal program operation sequence data, and each of the abnormal program operation sequence data is associated with a malicious program.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. In this method, the *program operation sequence data* used for training *includes abnormal program operation sequence data*, where each piece of abnormal data is specifically *associated with a malicious program*.
18. The behavior inference model budding method of claim 11 , wherein the processor further integrates an abnormal behavior detection model, the word embedding model and the generator of the optimized GAN model to build the behavior inference model.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and integrating the word embedding model and optimized GAN generator. This method further *integrates an abnormal behavior detection model* alongside the word embedding model and the optimized GAN generator to construct the final behavior inference model.
19. The behavior inference model building method of claim 18 , wherein the storage further stores a plurality of behavior labels, each of the program operation sequence data corresponding to one of the behavior labels, and the processor further executes the following steps of: clustering the word vectors of the program operation sequence data into a plurality of word vector groups based on a clustering algorithm; comparing the program operation sequences of each of the program operation sequence data severally with at least one of the program operation sequences corresponding to at least one of the word vectors included in each of the word vector groups to generate a feature vector of each of the program operation sequence data; performing a supervised learning of a classification algorithm to generate a classifier for classifying the feature vectors to correspond to the behavior labels based on the feature vectors and the behavior labels; and building the abnormal behavior detection model based on the word vector groups and the classifier.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, and additionally integrating an *abnormal behavior detection model* into the final behavior inference model. To build this abnormal behavior detection model, the method involves storing behavior labels and performing the following: *clustering the word vectors* of the program operation sequence data into groups using a clustering algorithm. It then *comparing the program operation sequences* with those in the clusters to generate feature vectors for each data. A *supervised learning classification algorithm* is applied to these feature vectors and behavior labels to create a classifier. The abnormal behavior detection model is then built based on these word vector groups and the generated classifier.
20. The behavior inference model building method of claim 19 , wherein the clustering algorithm is one of an Affinity Propagation (AP) clustering algorithm, a Spectral clustering algorithm, a Fuzzy C-means (FCM) clustering algorithm, an Iterative Self-Organizing Data Analysis Technique Algorithm (ISODATA) clustering algorithm, a K-means clustering algorithm, a Complete-Linkage (CL) clustering algorithm, a Single-Linkage (SL) clustering algorithm and a Ward's method clustering algorithm, and the classification algorithm is one of a Support Vector Machine (SVM) algorithm, a Decision Tree (DT) algorithm, a Bayes algorithm and a Nearest Neighbors (NN) algorithm.
A method for building a behavior inference model by processing program operation sequences with word embeddings and a GAN, further integrating an abnormal behavior detection model. This abnormal behavior detection model is built by clustering word vectors and then using a classification algorithm with behavior labels. Specifically, the *clustering algorithm* can be an Affinity Propagation (AP), Spectral, Fuzzy C-means (FCM), ISODATA, K-means, Complete-Linkage (CL), Single-Linkage (SL), or Ward's method algorithm. The *classification algorithm* can be a Support Vector Machine (SVM), Decision Tree (DT), Bayes, or Nearest Neighbors (NN) algorithm.
Unknown
August 4, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.